Interesting People mailing list archives

more on LAST TIME I USE HOTELS.COM djf Ernst & Young laptop loss exposes 243,000 Hotels.com customers


From: David Farber <dave () farber net>
Date: Fri, 2 Jun 2006 23:36:00 -0400



Begin forwarded message:

From: Peter Capek <capek () ieee org>
Date: June 2, 2006 8:42:39 PM EDT
To: dave () farber net
Subject: Re: [IP] more on LAST TIME I USE HOTELS.COM djf Ernst & Young laptop loss exposes 243,000 Hotels.com customers

On 6/2/06, Phil Kos <PhilK () quardev com> wrote:

It might be satisfying to merely stop dealing with Hotels.com as you
stated, but real damage has been done; so I wouldn't feel that it was
sufficient.  And it's also problematic, because all companies are
vulnerable to such breaches by their partners, and all companies have
partnerships like this; so it's not like there are any real
alternatives.

To me, the problem seems to be that we are frequently forced to agree
to these transitive trust relationships without any corresponding
reverse transitive responsibility.  When we trust a company we're
explicitly doing business with, we implicitly trust the partners they
explicitly do business with, yet we ourselves have no leverage over
those companies.  I find this not only unsatisfying, but downright
disturbing -- to the extent that I choose not to participate in many
commercial activities because of it, and only rarely give out
personal information to anyone, for anything (usually only when
required by law, or necessary to obtain critical services).

...

Mr. Stewart makes an interesting point (if I read him correctly) --
that the fault is truly E&Y's, but because of consolidation in their
industry, there are virtually no alternatives to E&Y, so Hotels.com
is essentially helpless to improve the situation, and punitive
actions against them are therefore misguided.  However, this is
perhaps the most deeply unsatisfying piece of the whole puzzle.  Can
this really be as good as it gets?  If so, why do we trust any of
these companies with ANYTHING?  Are we all really at the mercy of the
weakest links, with no hope for improvement?

I think this analysis is largely correct. And while I agree that those who promise to protect my information, and those with whom they do business, need to be held to their commitments (as they will most surely hold me to mine), for me the most important aspect of this problem is narrower. I wouldn't much care if someone knows my SSN if that SSN weren't also, effectively, the password for committing identity theft against me. Not just for the next year, when I might be graciously granted credit monitoring service, but for the rest of my life.

Twelve states have passed laws granting their residents the right, as I understand it, to "lock" their identity at the credit bureaus, effectively preventing any new credit lines from being opened. This certainly imposes an inconvenience on the person who chooses to use it, but does give a certain peace of mind. My state (NY) is not one of the twelve, but I plan to try to lock my identity in this way nonetheless.

I find it somewhat ironic that, while millions of people are actual victims of identity theft, and all of us are potential (indeed, perhaps even likely, in light of recent events) victims of identity theft, our esteemed Attorney General has focused not on protecting our information, but on forcing the collection of even more data, which I fear will, once again, be inadequately protected and would be better off not collected in the first place.

                   Peter Capek

Archives at: http://www.interesting-people.org/archives/interesting-people/

